
darkrace (b6aa46b3-46f5-522f-931f-b1ac57e8aadc)

DarkRace is a moderately destructive ransomware strain observed since 2024. It encrypts files and appends a randomized extension (e.g., .1352FF327) that varies per victim. Implemented as a 32-bit Windows application, it disables antivirus defenses, deletes volume shadow copies, terminates processes, and drops ransom note files for payment negotiation. Technical weaknesses in its encryption have enabled developers to produce a universal decryptor that works against DarkRace and related variants.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| darkrace (b6aa46b3-46f5-522f-931f-b1ac57e8aadc) | Ransomware | donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | 1 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 2 |
| Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) | Attack Pattern | donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) | Attack Pattern | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) | Attack Pattern | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | Scripting - T1064 (7fd87010-3a00-4da3-b905-410525e8ec44) | Attack Pattern | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) | Attack Pattern | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) | Attack Pattern | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) | Attack Pattern | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) | Attack Pattern | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | Indirect Command Execution - T1202 (3b0e52ce-517a-4614-a523-1bd5deef6c5e) | Attack Pattern | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) | Attack Pattern | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | 2 |
| File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) | Attack Pattern | donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | 2 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | 2 |
| Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830) | Attack Pattern | donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | 2 |
| Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) | Attack Pattern | donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) | Attack Pattern | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) | Attack Pattern | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) | Attack Pattern | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) | Attack Pattern | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92) | Attack Pattern | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) | Attack Pattern | 2 |
| Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) | Attack Pattern | donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) | Attack Pattern | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) | Attack Pattern | 2 |
| donex (bc89266b-31d5-5627-9d1d-822ff84792be) | Ransomware | System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) | Attack Pattern | 2 |
| Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) | Attack Pattern | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 3 |
| Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 3 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 3 |
| Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) | Attack Pattern | Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | 3 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 3 |
| Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) | Attack Pattern | Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) | Attack Pattern | 3 |
| Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) | Attack Pattern | 3 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92) | Attack Pattern | 3 |
| Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) | Attack Pattern | Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) | Attack Pattern | 4 |